Cisco Support Community

New Member

ACE module dns rewrite

Hi all,

We're using the ACE with static NAT. We have three interfaces. One outside and two inside. On one of the insides we have an FTP server and on the other inside we have the client. The client needs to connect to the FTP server but he wants to connect on the public DNS name.

A classic example of DNS doctoring which can be solved by the ASA by doing:

static (bla,bla) blablabla dns

Now I've read that the ACE module does this automatically with dns inspection enabled:

("Translates the DNS A-record based on the NAT configuration")

However I can't get it to work.

I have my inspection policy-map attached to all three interfaces and I am sure my DNS request goes through the ACE.

I see hits on the DNS inspection policy but the DNS answer I get still has the public IP listed and not the internal one.

I hope my story is clear...

Anyone got a clue on how to figure this out? Anyone got a similar setup working?



Cisco Employee

Re: ACE module dns rewrite

Where is the DNS server?

Inside or outside?

Our inspection has no knowledge of inside/outside. It only performs NATing from local to global.

So if the answer is already the global address, we don't do anything.

But I assume ACE is the default gateway for the client, so the traffic should still hit ACE, which will be able to NAT the traffic if you have the NATing policy on the inside interface as well.


New Member

Re: ACE module dns rewrite

Hi Gilles,

The DNS server is on the outside. I don't get where the rest of your answer leads to but in the picture described here is a perfectly good explanation:

However I want it to be done by an ACE and not an ASA.

So is the ACE capable of rewriting a DNS packet when the client as well as the destination of the DNS lookup is known to him?
